Fix #2326

cowtowncoder · cowtowncoder · commit dda513bd7251 · 2019-05-14T07:42:10.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -20,6 +20,7 @@ Project: jackson-databind
  (reported by Cyril M)
 #2324: `StringCollectionDeserializer` fails with custom collection
  (reported byb Daniil B)
+#2326: Block one more gadget type (CVE-2019-12086)
 - Prevent String coercion of `null` in `WritableObjectId` when calling `JsonGenerator.writeObjectId()`,
   mostly relevant for formats like YAML that have native Object Ids
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -80,6 +80,9 @@ public class SubTypeValidator
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
 
+        // [databind#2326] (2.9.9): one more 3rd party gadget
+        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,9 @@ public class SubTypeValidator`
`80`	`80`	`s.add("org.apache.openjpa.ee.JNDIManagedRuntime");`
`81`	`81`	`s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");`
`82`	`82`
	`83`	`+ // [databind#2326] (2.9.9): one more 3rd party gadget`
	`84`	`+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");`
	`85`	`+`
`83`	`86`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`84`	`87`	`}`
`85`	`88`